Thanks very much good sir! I was under the impression that intra-zone traffic would be allowed through. Thanks for setting me straight. :)
Original Message:
Sent: 06-22-2025 20:23
From: Nikolay Semov
Subject: Two connected routers in EVE-NG - Unable to ping loopback address of other router
Hello! You need a security policy from zone ABC to zone ABC to allow the traffic. Technically the ping is transit traffic first with lo0 as the outgoing interface, so you need a policy. Then the ping loops back in and hits the host-inbound rules for the zone.
Use show security packet-drop records to confirm. You should see your pings listed there as dropped by the system default policy.
------------------------------
Nikolay Semov
Original Message:
Sent: 06-22-2025 06:33
From: Anonymous
Subject: Two connected routers in EVE-NG - Unable to ping loopback address of other router
This message was posted by a user wishing to remain anonymous
As per the topology in the attached image, I have configured a simple lab with two vSRX in EVE-NG. I can ping the other end of the ge-0/0/0 link, but I cannot ping the loopback address of the other router. Can anyone see what's missing/wrong in the config or is this a bug with EVE-NG? Thank you!
R1 config:
set version 23.2R2.21
set system host-name R1
set security zones security-zone ABC host-inbound-traffic system-services ping
set security zones security-zone ABC interfaces lo0.10
set security zones security-zone ABC interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces fxp0 unit 0
set interfaces lo0 unit 10 family inet address 10.1.1.1/32
set routing-options static route 10.2.2.2/32 next-hop 10.0.0.2
R2 config:
set version 23.2R2.21
set system host-name R2
set system services ssh
set security policies
set security zones security-zone ABC host-inbound-traffic system-services ping
set security zones security-zone ABC interfaces lo0.10
set security zones security-zone ABC interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.2/30
set interfaces fxp0 unit 0
set interfaces lo0 unit 10 family inet address 10.2.2.2/32
set routing-options static route 10.1.1.1/32 next-hop 10.0.0.1
R1 output:
root@R1> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/30 *[Direct/0] 00:13:55
> via ge-0/0/0.0
10.0.0.1/32 *[Local/0] 00:13:55
Local via ge-0/0/0.0
10.1.1.1/32 *[Direct/0] 00:13:55
> via lo0.10
10.2.2.2/32 *[Static/5] 00:13:55
> to 10.0.0.2 via ge-0/0/0.0
root@R1> ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=3.619 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.679 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=1.619 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=1.752 ms
^C
--- 10.0.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.619/2.167/3.619/0.839 ms
root@R1> ping 10.2.2.2
PING 10.2.2.2 (10.2.2.2): 56 data bytes
^C
--- 10.2.2.2 ping statistics ---
18 packets transmitted, 0 packets received, 100% packet loss
R2 output:
root@R2> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/30 *[Direct/0] 00:09:23
> via ge-0/0/0.0
10.0.0.2/32 *[Local/0] 00:09:23
Local via ge-0/0/0.0
10.1.1.1/32 *[Static/5] 00:09:23
> to 10.0.0.1 via ge-0/0/0.0
10.2.2.2/32 *[Direct/0] 00:09:23
> via lo0.10
root@R2> ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=64 time=3.382 ms
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.627 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=2.390 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=1.553 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.553/2.238/3.382/0.737 ms
root@R2> ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
^C
--- 10.1.1.1 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
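The intra-zone policy described in the reply above, written out for both lab routers as an added example that is not part of the original thread. The policy name PERMIT-LO0-PING and the address-book names R1-LO0 and R2-LO0 are hypothetical; the zone name, interfaces and addresses are taken from the posted configs, and the match is limited to ICMP echo toward each router's own loopback rather than permitting all traffic within the zone.

```junos
# Added example; PERMIT-LO0-PING, R1-LO0 and R2-LO0 are hypothetical names.
# Enter in configuration mode on each router, then commit.

# --- On R2: lets R1's echo requests reach lo0.10 (10.2.2.2) ---
set security address-book global address R2-LO0 10.2.2.2/32
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match source-address any
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match destination-address R2-LO0
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match application junos-icmp-ping
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING then permit

# --- On R1: lets R2's echo requests reach lo0.10 (10.1.1.1) ---
set security address-book global address R1-LO0 10.1.1.1/32
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match source-address any
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match destination-address R1-LO0
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING match application junos-icmp-ping
set security policies from-zone ABC to-zone ABC policy PERMIT-LO0-PING then permit

# The zone-level "host-inbound-traffic system-services ping" already in both
# configs still applies after the policy permits the packet, so it stays.

# Checks from operational mode after commit:
#   show security policies from-zone ABC to-zone ABC
#   show security flow session protocol icmp
#   show security packet-drop records    (the pings should no longer be listed)
```

The source address is left as any because the thread does not show which source address the pings use; it can be narrowed with further address-book entries once that is confirmed.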